Key design elements for data protection

These elements should be shaped by the rights of users, and robust supervisory and enforcement mechanisms

The age of Big Data, the growing pervasiveness of Aadhaar, and the government’s exhortations to “go cashless” have led to a re-emergence of interest in privacy and data protection in India. Although the operation of many laws, such as the Information Technology Act, Aadhaar Act, Right to Information Act, and various other pieces of delegated legislation, has an impact on the privacy of individuals, there is no comprehensive law or policy on privacy or data protection in India. The privacy bill of 2014 has been lying in cold storage, with no timelines having been indicated by the government for its reconsideration or enactment.

With a view towards a future where this glaring gap in our legal regime is filled, we suggest five key elements that should drive the design of a privacy law (when it is actually enacted), or laws that have an impact on privacy. These include the manner of collection and retention, use and processing, and sharing of data. In turn, these elements should be shaped by the rights of users, and robust supervisory and enforcement mechanisms.

First, when entities collect data, the law should require them to specify the purpose of data collection. Users should be provided with an opt-out clause, so that they can withdraw their consent for the data collection. Notably, the Lok Sabha rejected the amendment to the Aadhaar Act that sought to introduce an opt-out clause, allowing the biometric and demographic information of the Aadhaar-number holder to be deleted, leaving citizens with the unsettling feeling of having surrendered their biometrics in perpetuity. On retention, the laws should specify the manner and form of preserving data, the time limits for such retention, and whether they recognize the “right to be forgotten”.

The second element focuses on the use and processing of data. Data is constantly being collected, both actively (for example, when we give our information to register for an app) and passively (for example, through GPS tracking of our movements on Google Maps, etc.). Big Data technologies have made it easy to extrapolate personal information about individuals. A recent study found that an individual’s Facebook “likes” reveal, with reasonable accuracy, their ethnicity, religious and political leanings, sexual orientation, and personality traits. This has meant that collection limitation (how much information we reveal about ourselves) is not enough. The law needs to focus on use limitation (how data controllers can use the information collected about their users), putting the ultimate onus on the entities that collect and control data. This also involves devising rules of proportionality and the narrow tailoring of exceptions that will govern the balancing of competing interests. Further, India can learn from European Union (EU) initiatives on data protection “by design” and “by default”, which focus on improving default privacy settings so as to reduce subsequent regulatory intervention.

Third, a privacy law or a law having an impact on privacy must focus on the sharing and transfer of data. Currently, there is no regulatory framework in place to control how data is shared by the data controller with third parties, much less any consideration of the different standards that govern the sharing of information with governmental and non-governmental entities, both within India and abroad. Our laws need to be able to deal with situations such as the Facebook-WhatsApp data-sharing policy (for commercial benefits) or the Apple-Federal Bureau of Investigation stand-off (for law enforcement).

Fourth, the design of the law should recognize the rights of users. Given that the constitutional status of the right to privacy is in flux, with the question of whether such a right exists in our constitutional framework having been referred by the Supreme Court to a Constitution Bench, it is imperative for our laws to create such a statutory right at the very least. We can take guidance from the EU framework by recognizing the rights to data quality (ensuring accuracy of personal data by allowing individuals access and correction rights); data integrity (ensuring security of data); data-breach notification (requiring users to be informed of any privacy-related breaches); and data portability (allowing users to transmit their personal data across service providers).

The fifth element is providing for supervision and redress mechanisms in the law. The success of any law depends on enforcement, which in the Indian context has traditionally been weak. Our focus, for too long, has been on writing laws, without much attention to the effectiveness of redressal mechanisms. This is best exemplified in the Aadhaar Act, which only permits the UIDAI (Unique Identification Authority of India), and not the Aadhaar number holder, to initiate criminal action. The accompanying enrolment regulation envisages a grievance redressal “contact centre”, although the actual process of redress and the binding nature of such a mechanism are left unspecified.

It is important that these new laws are broad enough to ensure their wide applicability, and simultaneously flexible enough to adapt to technological changes. They should also make clear whether they apply to both the state and the private sector, and if so, whether different standards apply to them. Drafting laws with these key principles in mind will only be the start of a long and difficult road ahead, in terms of making India compliant with globally accepted privacy and data-protection standards, but it is an important step forward.

Vrinda Bhandari and Renuka Sane are, respectively, a practising advocate in Delhi and visiting faculty at the Indian Statistical Institute, Delhi Centre.